11 Nov 17

Can A QSA Rely On An ISA’s Assessment Work?

Questions have been asked at various Community Meetings over the years regarding reliance on internal and external audits, but none of us discussing this question could remember anyone asking the Council about ISAs.  This issue repeatedly comes up because of organizational audit fatigue.

With standards such as PCI, NIST, ISO and the like, some organizations can be under constant and never-ending audits.  To add to this audit onslaught, the personnel involved are, in a lot of cases, covering the same topics over and over and over.  For the people involved, these endless audits become very annoying as they are interrogated over the same topics time and again.

For the record, when the Council has been asked about internal and external auditor results, the answer has always been an emphatic “No”.  That answer has, of course, been met with groans and complaints from the audiences that the Council is arrogant and unrealistic in how they approach assessments.  While some of these complaints are on point for policies, access controls and physical controls, there are some PCI requirements such as those in sections 1, 2, 10 and 11 that are unique in the level of detail explored and are not covered in that same level of detail in other standards’ work programs.  Both the Council and the people making complaints have their points.

So, we come back to the original question about ISAs.  In theory, ISAs are provided the same training as a QSA by the PCI SSC.  The only difference between a QSA and an ISA is that an ISA is employed by the organization being assessed.  As a result, you would assume that all things being equal, a QSA should be able to rely on an ISA’s assessment work after a review of that work.

Nope!

According to the response we got back from the Council, a QSA must first ask the entity receiving the assessment if they can rely on an ISA’s assessment work.

QSAs are told not to question the work of other QSAs.  But we need to ask permission to trust the work of an ISA?  You are required to trust one, but cannot trust the other?  What kind of nonsense is this?

With answers like this, you start to wonder what the purpose of the PCI SSC is in the scheme of PCI.

And we all thought the discussion about “Not Tested” was ridiculous.


8 Responses to “Can A QSA Rely On An ISA’s Assessment Work?”


  1. Noor
    November 14, 2017 at 10:07 AM

    As a PCI ISA myself, there is a lot of pressure on us to accommodate. When a QSA makes a point, Management/teams have to follow and if they are not happy, they have to change the QSA’s firm. Yes, QSAs come with different judgments and they do miss the point many times but their strength is their independence. I tried to combine different assessments to reduce the audit fatigue; my challenge is always the scope. Even the way each standard defines the scope is different (e.g. Financial audit: applications involved in the business processes that may impact the integrity of the financial reporting).
    Except for the policies and the processes, the evidence required from the different systems is different.

  2. Bill Membery
    November 13, 2017 at 4:30 AM

    What an excellent point and I totally agree, as audit overload for 27k, ISAE3402, PCI, ISO9k, SOX etc. occurs in all large organisations. Perhaps some standardisation and acceptance of controls around Risk, BCP, Incident Management, Change Management and Service Delivery is in order, as these are the ones that are frequently repeated in all standards and waste time, costs and money.

    • November 13, 2017 at 6:14 AM

      Wholeheartedly agree with that, BUT … You need all the players at the table and the Council has repeatedly said they want nothing to do with it. In years past the AICPA, ISACA and other standards setting bodies have asked for meetings and the PCI SSC has supposedly rejected them.

  3. Antipode
    November 12, 2017 at 4:41 PM

    Yeah, very strange statement from the SSC. Like you I assumed the trust chain of other QSA’s work extended to ISAs (who are the same in all but name).

    I guess an ISA is much more likely to lie on behalf of their employer. I completed an assessment last year for a L2 merchant who had previously been using their ISA (made redundant). Fully compliant for 3 years running, they weren’t at all surprised when I assessed them in the low 50s %. The Acquirer wasn’t impressed, and it was pretty obvious what had been going on.

    I’ve seen other QSAs miss some fairly obvious things before, but I’ve never suspected any QSA of lying on behalf of a customer.

    • November 13, 2017 at 6:17 AM

      The biggest problems I have encountered with ISAs are their ability to properly scope the environment and their technical skills in understanding network device/server configurations and what is secure.

    • November 13, 2017 at 6:19 AM

      In my experience ISAs do not lie, but they do have inexperience in conducting a proper PCI assessment because it is so different from any other assessments or audits they may have been involved in.

  4. PIN Head
    November 11, 2017 at 4:22 PM

    I like your post Guru. I have been involved with PIN security device qualification and key management well before the PCI SSC existed. Recently we helped a major retailer set up a PCI P2PE merchant managed solution. This same retailer has a compliant PIN key injection facility in place and when we asked the QSA if they could use the PCI PIN report as evidence that we had documented procedures, and are followed, for P2PE key management, the answer was NO! The explanation was that PCI does not control the PCI PIN security requirements. This of course was laughable, but the meaning was that PCI PIN ‘validation’ is managed under one of the brands and PCI P2PE is listed under the PCI SSC domain.

    I have to tell you that it is very frustrating as a key management and security expert to have to deal with the various flavors of PCI requirements. If they won’t even take evidence of their own requirements to scale across different implementations, I can understand the frustration for those that have to meet even high standards and yet still have to go through the all important protection of credit card information which the brands have somehow made it the acceptors, of the very weak payment product, the responsible party.

    Regards,
    PIN head

    • November 11, 2017 at 4:29 PM

      Actually, the council is in the process of taking over the PIN standard for the card brands, so next year that will not be the case.
